NetWitness Community

JoshRandall · ‎2018-10-09

The RSA NetWitness Platform has multiple new enhancements as to how it handles Lists and Feeds in v11.x. One of the enhancements introduced in the v11.1 release was the ability to use Context Hub Lists as Blacklist and/or Whitelist enrichment sources in ESA alerts. This feature allows analysts and administrators a much easier path to tuning and updating ESA alerts than was previously available.

In this post, I'll be explaining how you can take that one step further and create ESA alerts that automatically update Context Hub Lists that can in turn be used as blacklist/whitelist enrichment sources in other ESA alerts. The capabilities you'll use to accomplish this will be the ESA's script notifications, the ESA's Enrichment Sources and the Context Hub's List Data Source.

Your first step is to determine what kind of data you want to put into the Context Hub List. For my test case I chose source and destination IP addresses. Your next step is to determine where this List should live so that the Context Hub can access it. The Context Hub can pull Lists either via HTTP, HTTPS, or from its local file system on the ESA appliance - for my test case I chose the local filesystem.

With that decided, your next step is to create the file that will become the List - the Context Hub looks within the /var/netwitness/contexthub-server/data directory on the ESA, so you'll create a CSV file in this location and add headers to help you (and others) know what data the List contains:

**NOTE** Be sure to make this CSV writeable for all users, e.g.:

# chmod 666 esaList.csv

Next, add this CSV to the CH as a Data Source. In Admin / Services / Contexthub Server / Config --> Data Sources, choose List:

Select "Local File Store," then give your List a name and description and choose the CSV from the dropdown:

If you created headers in the CSV, select "With Column Headers" and then validate that the Context Hub can see and read your file. After validation is successful, tell the Context Hub what types of meta are in each column, whether to Append to or Overwrite values in the List when it updates, and also whether to automatically expire (delete) values once they reach a certain age (maximum value here is 30 days):

For my test case, I chose not to map the date_added and source_alert columns from the CSV to any meta keys, because I only want them for my own awareness to know where each value came from (i.e.: what ESA alert) and when it was added. Also, I chose to Append new values rather than Overwrite, because the Context Hub List has built in functionality that identifies new and unique values within the CSV and adds only those to the List. Append will also enable the List Value Expiration feature to automatically remove old values.

Once you have selected your options, save your settings to close the wizard. Before moving on, there are a few additional configuration options to point out which are accessible through the gear icon on the right side of the page. These settings will allow you to modify the existing meta mapping or add new ones, adjust the Expiration, enable or disable whether the List's values are loaded into cache, and most importantly - the List's update schedule, or Recurrence:

**NOTE** At the time of this writing, the Schedule Recurrence has a bug that causes the Context Hub to ignore any user-defined schedule, which means it will revert to the default setting and only automatically update every 12 hours.

With the Context Hub List created, you can move on to the script and notification template that you will use to auto-update the CSV (both are attached to this blog - you can upload/import them as is, or feel free to modify them however you like for your use cases / environment). You can refer to the documentation (System Configuration Guide for Version 11.x - Table of Contents) to add notification outputs, servers, and templates.

To test that all of this works and writes what you want to the CSV file (for my test case, IP source and destination values), create an ESA alert that will fire with the data points you want capture, and then add the script notification, server, and template to the alert:

After deploying your alert and generating the traffic (or waiting) for it to fire, verify that your CSV auto-updates with the values from the alert by keeping an eye on the CSV file. Additionally, you can force your Context Hub List to update by re-opening your List's settings (the gear icon mentioned above), re-saving your existing settings, and then checking its values within the Lists tab:

You'll notice that in my test case, my CSV file has 5 entries in it while my Context Hub List only has 3 - this is a result of the automatic de-duplication mentioned above; the List is only going to be Appending new and unique entries from the CSV.

Next up, add this List as an Enrichment Source to your ESA. Navigate to Configure / ESA Rules --> Setting tab / Enrichment Sources, and add a new Context Hub source:

In the wizard, select the List you created at the start of this process and the columns that you will want to use within ESA alerts:

With that complete, save and exit the wizard, and then move on to the last step - creating or modifying an ESA alert to use this Context Hub List as a whitelist or blacklist.

Unless your ESA alert requires advanced logic and functionality, you can use the ESA Rule Builder to create the alert. Within your alert statement, build out the alert logic and add a Meta Whitelist or Meta Blacklist Condition, depending on your use case:

Select the Context Hub List you just added as an Enrichment Source:

Select the column from the Context Hub List that you want to match against within your alert:

Lastly, select the NetWitness meta key that you want to match against it:

You can add additional Statements and additional blacklists or whitelists to your alert as your use case dictates. Once complete, save and deploy your alert, and then verify that your alerts are firing as expected:

And finally, give yourself a pat on the back.

AlejandraMoren1 · ‎2018-11-05

Hello, sorry for bothering you, but I can't correctly see the file ESA Script_forCsvOutput.
Please, Could you help me?

Anonymous · ‎2018-11-05

Hi Alejandra, according to the note it seems to be that you need to import the template as this note says:

https://community.rsa.com/docs/DOC-80351

regards

JoshRandall · ‎2018-11-05

Yes, that one is the ESA template that needs to be imported into the UI.

Apologies for the confusion, I should have named the attachments so that it is more clear what's what. I've renamed them:

'EsaScriptOutputToCsv.py.zip' is now --> 'EsaScript_writeToCsv.zip'
'ESA Script_forCsvOutput.zip' is now --> 'EsaTemplate_forCsvOutput.zip'

DeepakShukla2 · ‎2019-04-05

Hi Joshua,

First of all it's really a great article!

Does the script file has to to imported under System > Global Notification > Servers ? If yes, then I am getting below error while doing so. Where I am missing? Thanks in Advance

There was an error uploading your file

JoshRandall · ‎2019-04-05

Hi Deepak,
Thanks, I’m glad you’re finding it useful (or at least, will find it useful).

The Servers tab is where you’ll need to define a Script Server – the Name and Description here can really be anything you want, but I’d recommend something descriptive to help tell you what it is when you need to do anything with it later. Here is what mine looks like:

The script itself will need to be copied and pasted in the Output tab. You’ll need to create a new Script output or edit an existing one:

Give it a name, and then copy your script into the “Script” window:

RahulSingh · ‎2020-06-01

Hi Josh,

This feature is really helpful but unfortunately it is not working for me. I used same script and template attached by you in the blog and folowed the same steps as you demonstrated . I only modified file name in script code and rest is as it is used. Rule triggered many times but list is not being updated . I do not know why it is not working . Could you help me to identify where could be the issue and i will check there for correction. While checking the list in context hub below error is showing . I am using 11.3.1 version.

JoshRandall · ‎2020-06-01

Hi Rahul,

Since you're running a version newer than 11.3, you should check this out: https://community.rsa.com/community/products/netwitness/blog/2019/04/12/113-changes-to-esa-script-outputs

Those changes are the most cause of your issues, even though your alert is firing. You can check the Correlation Server log on the ESA at ‘/var/log/netwitness/correlation-server/correlation-server.log' or the Integration Server log on the Admin Server's at ‘/var/log/netwitness/integration-server/integration-server.log' and look for WARN and/or ERROR messages errors on ‘Notification' events.

Additionally, because the script will run from the Admin Server (instead of the ESA) the file you are creating/writing to with your script will be on the Admin Server's filesystem. If you place that file in ‘/var/netwitness/common/repo' on the Admin Server, it will be available over HTTP/S at ‘https://<node0_IP_or_FQDN>/nwrpmrepo/<filename.csv>' which you can connect to from the "Add Data Source” wizard directly from the Correlation Server's config page, or via the ‘Custom Feed' wizard in the UI's Configure/Custom Feeds module.

If you do choose either of those options, I'd also recommend taking a look at this to ensure you can access the file over HTTP/S from the NetWitness UI: https://community.rsa.com/community/products/netwitness/blog/2020/04/16/easy-add-recurring-feeds

RahulSingh · ‎2020-06-02

Hi Josh,

Thank you so much for help. I will use below method you suggested .

Additionally, because the script will run from the Admin Server (instead of the ESA) the file you are creating/writing to with your script will be on the Admin Server's filesystem. If you place that file in ‘/var/netwitness/common/repo' on the Admin Server, it will be available over HTTP/S at ‘https://' which you can connect to from the "Add Data Source” wizard directly from the Correlation Server's config page, or via the ‘Custom Feed' wizard in the UI's Configure/Custom Feeds module.

Regards,

Rahul Singh

RahulSingh · ‎2020-06-02

Hi Josh,

If I put file in admin server in directory ‘/var/netwitness/common/repo’. Then how the script will write data to the stored file in repo directory when alert triggers. Do i need to make any changes in path where the file is kept in the script or I can use same script as it is. My primary requirement is to populate csv file with username, ip address from ESA alert. Please guide me where I need to make change in the script. Also I am requesting you to create a similar blog for 11.3 .x.x version , it will be great help for most of the customers.

#!/usr/bin/env python

import csv

import datetime

import json

import sys

def dispatch(alert):

"""

The default dispatch just prints the 'last' alert to /tmp/esa_alert.json. Alert details

are available in the Python hash passed to this method e.g. alert['id'], alert['severity'],

alert['module_name'], alert['events'][0], etc.

These can be used to implement the external integration required.

"""

with open("/tmp/esa_alert.json", mode='w') as alert_file:

alert_file.write(json.dumps(alert, indent=True))

def writeToCsv():

esa_alert = json.loads(open('/tmp/esa_alert.json').read())

events = esa_alert['events']

dateAdded = esa_alert['time']

sourceAlert = esa_alert['module_name']

for i in range(len(events)):

try:

ipSrc = esa_alert['events']['ip_src']

except KeyError:

ipSrc = ''

try:

ipDst = esa_alert['events']['ip_dst']

except KeyError:

ipDst = ''

with open('/var/netwitness/contexthub-server/data/esa_test.csv', 'a') as csv_file:

writer = csv.writer(csv_file)

writer.writerow()

if __name__ == "__main__":

dispatch(json.loads(sys.argv[1]))

writeToCsv()

sys.exit(0)

JoshRandall · ‎2020-06-02

Hi Rahul,

Yea, I was thinking yesterday that I might need to either update this blog or make a new one.

In the meantime, you can refer to this post here: https://community.rsa.com/community/products/netwitness/blog/2019/10/14/contextualizing-ja3-fingerprints

The ja3context.py script attached to that blog is intended for 11.3+ environment, and has a couple examples of where/how to create the alert JSON files to avoid write contention when lots of alerts might be firing simultaneously (borrowed from Sean Koniarz's comment here: https://community.rsa.com/community/products/netwitness/blog/2019/01/04/dynamic-email-alerts-with-esa#comment-39000), and where/how to create the CSV on the admin server.

That script also includes a deduplication function, which you may or may not want for your use case.

RahulSingh · ‎2020-06-03

Thank you Josh

NetWitness Community

Auto-updating Context Hub Lists from ESA Alerts